EdHosting Posted December 27, 2006

I have decided to outsource my anti-spam/anti-virus filtering to a service company that specializes in this. TCH has modified my MX records so that all email will normally be sent to my spam filtering service before being delivered to my domain on the shared hosting server at TCH. That's working fine right now. But spammers often bypass the MX records and deliver their spam directly to the server that hosts my domain, and so bypass the spam service.

I do know that the first line of the header records for all incoming mail that has been processed by my spam service will contain the following information:

Received: from servername.mySpamFilterService.net [aaa.bbb.ccc.ddd]

So I need a script or filter that will discard all incoming messages if the first line of the header doesn't contain "mySpamFilterService.net", or deliver it to the recipient's inbox if it does. Could anyone provide a simple script example of how to do this? I've looked everywhere for such a script but have not found one.

As more and more small and medium businesses turn to commercial-strength spam/virus email filtering services, I think a solution to this problem would be well received by the TCH community.
TCH-Bruce Posted December 27, 2006

I have never seen a script that works that way. Not to say there isn't one or someone couldn't write one. In cPanel you can create filters that act on something that "contains" something, but not the other way around. I know email clients can create "doesn't contain" filters.

In a perfect world there would be no spam. But as it is we must deal with it the best we can. I have client-side tools that automatically delete spam messages so I don't have to see them.
EdHosting Posted December 28, 2006 Author (edited)

Well Bruce, it turns out you can have advanced filtering options, including "does not contain" matches and the like. But it took a lot of research and testing to figure this out. So I will pass it on to you and any others that need it.

TCH is using Exim for their Mail Transfer Agent (MTA). Exim provides for a filter mechanism in a specially formatted filter file which is documented here. Anyone with a minimal understanding of programming can follow the documentation and create some rich filtering of their emails. However, the TCH servers provide the standard cPanel application to their customers, which exposes only a minimal subset of the Exim filter options. For example, you can create a filter to discard an email if it contains something, but not if it does not contain something.

The way this works is that when you create a filter in cPanel, it creates two files. The first file is in the root of your domain on the shared TCH server and it's named ".filter". You can look at this file and even modify it if you like, but it will do you no good. That's because cPanel creates a second file named "/etc/vfilters/****", and that file is actually a true Exim-formatted filter file. But of course, that file is not directly accessible by TCH customers.

So I opened up a support ticket and requested that my vfilters file be changed to the following (between the dashed lines):

-----------------------------------------------------------------------------
# Exim filter
if not first_delivery and error_message then
  finish
endif
if $header_received: does not contain "myfiltercompany.net"
   and $header_received: does not contain "tchmachines.com"
then
  save "/dev/null" 660
endif
------------------------------------------------------------------------------

Basically, this filter directs the Exim MTA to discard any incoming emails if they were not received from either my filtering service company or the TCH server itself.
And I was pleasantly surprised that Alex on the TCH support staff accommodated my request. Of course, I have to remember not to use the cPanel filter function in the future, because it will most certainly overwrite the filter that I had TCH set up for me.

As a final thought, it would be great if TCH could provide a way to create and maintain our own Exim filter file that doesn't conflict with the cPanel mechanism and doesn't require us to open a ticket to have TCH staff apply the change for us.

Edited December 28, 2006 by EdHosting
TCH-Bruce Posted December 29, 2006

Thank you for the update. As I said, it wasn't possible directly in cPanel. Glad the help desk was able to help you.
Aeroknight Posted December 29, 2006

> Thank you for the update. As I said, it wasn't possible directly in cPanel. Glad the help desk was able to help you.

Bruce, it is possible directly from cPanel; however, there are limitations. Basically, add a filter for the 'Body' (I know we're looking at the 'headers', but I tried it and it didn't work, but choosing the 'Body' does; don't ask me!) that 'matches regex', and in the field enter ^((?!xyz).)*$ . This basically triggers the filter if xyz ISN'T contained in the 'Body' (again, headers would make sense, but body is what works). Basically this filter will look for xyz and if it isn't there the server can either discard the msg or forward it to a suspect-spam quarantine account.

Regexes are extremely powerful, and in this case instead of looking for something (drugs, I AM A SPAMMER etc. etc.) we are having it look for something that is not there. The example above is as basic as can be; if you want to get really complicated you could write it to filter and allow anything.

To mimic EdHosting's filter requirements he can try: ^((?!xyz|abc).)*$ where abc and xyz are his spam filtering service's domain and Total Choice Hosting's server's domain name respectively. If either abc or xyz appear the message will be delivered correctly. Of course xyz and abc can be replaced with anything you want (server99.snhdns.org is a perfectly valid replacement of abc).

Be careful though: if a spammer delivers a msg to your A address (your TCH machine) instead of your MX record, bypassing your spam service, abc will appear in the headers and the regex filter above will allow correct delivery anyway.

What I haven't been able to have regex do is look for the argument in the first line (but then I haven't even been able to have it check the headers at all).

Have fun!
TCH-Bruce Posted December 29, 2006

Thanks for the info AeroKnight. Never thought of trying that.
EdHosting Posted December 29, 2006 Author

> Be careful though if a spammer delivers a msg to your A address (your TCH machine) instead of your MX record bypassing your spam service, abc will appear in the headers and the regex filter above will allow correct delivery anyway.

Aeroknight, I don't think so. Even if the spammer sends the email directly to the TCH server via its "A" record, the Exim MTA will always insert a "Received: from" header at the top of the email that includes the domain name and/or the IP address of the sending MTA server. My only reason for including "tchmachines.com" in the filter I have applied is that I have a formmail script that runs on the server, and any emails that come from that script come in with a "Received: from serverxxx.tchmachines.com" header in them.

However, what a sneaky spammer could do is look up the MX record for my domain (which points to the IP addresses of my anti-spam servers), do a reverse DNS lookup on the first one, insert a "Received: from" header into the email and then send it to my server via its "A" record. In that case, the Exim filter I have shown will allow the email in because the required text would indeed be somewhere in the "Received:" headers.

Now if you look at the Exim filter spec I referenced previously, you'll note that it says that if there is more than one header line with the same name, their contents are concatenated. So if that concatenation works as I would expect it to, then the leftmost part of a "$header_received:" string in an Exim filter file should contain the address of the machine that the TCH server received the email from.

That said, it would be great if you or someone could provide a regex expression that evaluated the text that follows the first dot in the "$header_received" string. I think that would cover everything.
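The distinction Ed draws above, between the topmost Received header (written by the receiving MTA) and any Received headers the sender itself supplied, is the whole security argument of this thread, so here is the check carried out over parsed messages. This is an added example, not code from the thread or from TCH or cPanel. It places the thread's "does not contain" test (applied to all Received headers concatenated, as the Exim filter and the regex in the replies above both do) beside a first-hop check that consults only the topmost header and requires both the hostname and the connecting IP recorded there to match. The domain names, IP ranges and all four sample messages are constructed for illustration; the filter service's hostnames and address ranges are assumptions.

```python
"""Accept mail only if its first hop came from the spam-filtering service.

Added example for this thread, not code from it. Domains, address ranges
and sample messages are constructed; the IPs are documentation ranges.
"""
import email
import re
from ipaddress import ip_address, ip_network

# Assumed trusted sources: the filtering service's MX hosts and the hosting
# server itself (mail generated locally, e.g. by a formmail script).
TRUSTED_SOURCES = {
    "myspamfilterservice.net": [ip_network("203.0.113.0/24")],  # assumed
    "tchmachines.com": [ip_network("198.51.100.0/24")],  # assumed
}
OUR_DOMAIN = "tchmachines.com"

# "from host ([ip] ...)" or "from host [ip]": the receiving MTA writes the
# hostname from reverse DNS and the IP from the actual TCP connection.
HOP_RE = re.compile(r"\bfrom\s+(?P<host>[\w.-]+)\s*[(\s]*\[(?P<ip>[0-9a-fA-F.:]+)\]")
# "from user by host with local": mail injected on the server, no remote IP.
LOCAL_RE = re.compile(r"\bby\s+(?P<by>[\w.-]+)\s+with\s+local\b")


def received_headers(raw_message):
    """All Received headers, topmost first, folding whitespace collapsed."""
    msg = email.message_from_string(raw_message)
    return [" ".join(v.split()) for v in msg.get_all("Received", [])]


def host_in_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def first_hop_trusted(raw_message):
    """True only if the TOPMOST Received header (written by our own MTA) names
    a trusted host AND the connecting IP it recorded is in that host's range.
    Every Received header below it came from the sender and may be forged."""
    received = received_headers(raw_message)
    if not received:
        return False
    hop = HOP_RE.search(received[0])
    if hop is None:
        # No remote IP: accept only mail our own server injected locally.
        local = LOCAL_RE.search(received[0])
        return bool(local) and host_in_domain(local.group("by"), OUR_DOMAIN)
    host, ip = hop.group("host"), ip_address(hop.group("ip"))
    for domain, nets in TRUSTED_SOURCES.items():
        if host_in_domain(host, domain):
            return any(ip in net for net in nets)
    return False


def any_received_contains(raw_message):
    """The thread's 'does not contain' test: passes if a trusted domain
    appears anywhere in the concatenated Received headers."""
    joined = "\n".join(received_headers(raw_message)).lower()
    return any(domain in joined for domain in TRUSTED_SOURCES)


# Constructed sample messages. Relayed through the filtering service:
VIA_FILTER = """\
Received: from mx1.myspamfilterservice.net ([203.0.113.10] helo=mx1.myspamfilterservice.net)
\tby server99.tchmachines.com with esmtp (Exim 4.63); Wed, 27 Dec 2006 10:00:00 -0500
Received: from client.example.org ([192.0.2.5])
\tby mx1.myspamfilterservice.net with esmtp; Wed, 27 Dec 2006 09:59:58 -0500
Subject: hello

body
"""
# Sent straight to the A record; the sender's forged Received line sits
# below the genuine one our MTA added on top:
DIRECT_FORGED = """\
Received: from evil.example.net ([192.0.2.66])
\tby server99.tchmachines.com with esmtp (Exim 4.63); Thu, 28 Dec 2006 11:00:00 -0500
Received: from mx1.myspamfilterservice.net [203.0.113.10]
\tby server99.tchmachines.com with esmtp; Thu, 28 Dec 2006 10:59:00 -0500
Subject: buy now

body
"""
# Generated on the server itself (e.g. formmail): no remote IP at all:
LOCAL_FORMMAIL = """\
Received: from nobody by server99.tchmachines.com with local (Exim 4.63)
\tid 1Gz0A3-0001Ad-00; Thu, 28 Dec 2006 12:00:00 -0500
Subject: form submission

body
"""
# Reverse DNS that looks like the service, from an IP outside its range:
FORGED_PTR = """\
Received: from mx9.myspamfilterservice.net ([192.0.2.77] helo=mx9.myspamfilterservice.net)
\tby server99.tchmachines.com with esmtp (Exim 4.63); Thu, 28 Dec 2006 13:00:00 -0500
Subject: buy now

body
"""
```

Run `first_hop_trusted` and `any_received_contains` over the four samples: the relayed message and the locally generated formmail message pass both checks, while the direct delivery with a forged Received line and the look-alike reverse DNS pass the "contains" test but fail the first-hop test. The IP comparison matters because the hostname in the topmost header is only what reverse DNS returned for the peer, whereas the bracketed address is the peer the MTA actually accepted the connection from; an MTA-side filter that tests the connecting address directly, rather than text in the Received headers, is the equivalent on the server.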
Aeroknight Posted January 2, 2007 (edited)

Of course the most reliable way is to be on a dedicated machine where you have root access. A VPS (Virtual Private Server) (a.k.a. Virtual Dedicated Server) will also do; these cost about the same as regular hosting plans these days, but there are only a handful of providers out there. TCH, any plans for VPS? I'd buy one from you!

Edited January 2, 2007 by Aeroknight
TCH-Thomas Posted January 2, 2007

> TCH - any plans for VPS?

Sorry, there are no plans at the moment that I am aware of.